XMPP Network Domain Spoofing Vulnerability in Prosody Server
CVE-2016-0756

5.3 MEDIUM

Key Information:

Vendor

Prosody

Status
Vendor
CVE Published:
29 January 2016

What is CVE-2016-0756?

The mod_dialback module in the Prosody XMPP server contains a vulnerability in its generate_dialback function: it does not adequately separate fields when generating dialback keys. A remote attacker can use a crafted stream ID and domain name to spoof domains on the XMPP network. Versions prior to 0.9.10 are affected, so affected servers should be updated.
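The field-separation problem described above, shown as an added example that is not Prosody's code: when a key is derived from fields joined with nothing between them, two different (stream ID, domain) combinations can yield the same key, while length-prefixing each field removes the ambiguity. The function names, field order, HMAC-SHA256 construction, secret and sample values are all assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-dialback-secret"  # constructed sample value, not a real secret


def key_unseparated(stream_id: str, to_domain: str, from_domain: str) -> str:
    """Weak pattern: fields are concatenated with no boundary between them."""
    material = (stream_id + to_domain + from_domain).encode()
    return hmac.new(SECRET, material, hashlib.sha256).hexdigest()


def key_separated(stream_id: str, to_domain: str, from_domain: str) -> str:
    """Hardened pattern: every field is length-prefixed before being MACed."""
    mac = hmac.new(SECRET, digestmod=hashlib.sha256)
    for field in (to_domain, from_domain, stream_id):
        raw = field.encode()
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()


# Constructed sample tuples (stream_id, to_domain, from_domain). The stream ID
# and receiving domain differ, yet the plain concatenation is byte-identical.
TUPLE_A = ("abc", "example.org", "example.net")
TUPLE_B = ("abcex", "ample.org", "example.net")


def fields_collide(key_fn) -> bool:
    """True if key_fn cannot tell the two distinct tuples apart."""
    return hmac.compare_digest(key_fn(*TUPLE_A), key_fn(*TUPLE_B))


if __name__ == "__main__":
    print("unseparated fields collide:", fields_collide(key_unseparated))
    print("length-prefixed fields collide:", fields_collide(key_separated))
```

A key generator used for server-to-server verification can be regression-tested the same way: feed it tuples whose concatenations match and assert that the resulting keys differ.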

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
